Introduction

pam_fprint is a simple PAM module which uses libfprint's fingerprint processing and verification functionality for authentication. In other words, instead of seeing a password prompt, you're asked to scan your fingerprint.

pam_fprint is a proof-of-concept, and also my-first-PAM-module. It has some deficiencies:

Can't be configured in any way.

Finds the first enrolled fingerprint that can be verified on a device that is currently plugged in, and uses that one and only that one.

Reads enrolled fingerprints from users' home directories.

It will only work when trying to authenticate your own user account (as you can read your own home directory), or in the system login prompt (which runs as root).

You cannot authenticate yourself as another user, since you don't have access to read that user's home directory.

pam_fprint is an open source project, licensed under the GNU GPL v2.

On my system, that simply equated to inserting line 2. It says that authentication through pam_fprint is sufficient to grant access to the user, but if pam_fprint fails to authenticate them, it's no big deal: fall back on password (pam_unix).

This is somewhat insecure in that someone can simply unplug the fingerprint reader and enter your password as normal, so password security is as critical as always and fingerprint login is just for the cool factor.

Fingerprint acceptance required, no password input

Make the auth section of /etc/pam.d/system-auth look like this:

auth required pam_env.so
auth required pam_fprint.so

and remove other auth entries.

This setup requires successful fingerprint verification through libfprint before login can succeed. I would not recommend doing this at this point in time, because libfprint is alpha software, and if it breaks, you're in trouble!
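The difference between the two setups shows up when the reader is unplugged or libfprint fails, which the following added example simulates (it is not part of pam_fprint). Both stacks are constructed samples, only the simple control flags (required, requisite, sufficient, optional) are modelled, and modules without a stated outcome are assumed to succeed.

```python
import re

# Constructed sample stacks in /etc/pam.d syntax (not copied from a real host).
FALLBACK_STACK = """
auth required   pam_env.so
auth sufficient pam_fprint.so
auth sufficient pam_unix.so try_first_pass
auth required   pam_deny.so
"""
FPRINT_ONLY_STACK = """
auth required pam_env.so
auth required pam_fprint.so
"""
LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_auth(text):
    """Return [(control, module)] for auth lines; comments and other types are skipped."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            stack.append((m.group(1), m.group(2).rsplit("/", 1)[-1]))
    return stack

def evaluate(text, outcomes):
    """Simulate one login; outcomes maps module -> bool (unlisted: assumed True)."""
    required_failed = any_success = False
    for control, module in parse_auth(text):
        ok = module != "pam_deny.so" and outcomes.get(module, True)  # pam_deny always fails
        if control == "sufficient":
            if ok and not required_failed:
                return True               # success ends the stack immediately
        elif control in ("required", "requisite", "optional"):
            any_success = any_success or ok
            if not ok and control == "requisite":
                return False              # requisite failure ends the stack at once
            if not ok and control == "required":
                required_failed = True    # stack continues but can no longer succeed
        else:
            raise ValueError(f"control {control!r} is not modelled here")
    return any_success and not required_failed

def reader_failure_report(text):
    """Outcome when pam_fprint cannot verify (reader unplugged, libfprint broken)."""
    with_password = evaluate(text, {"pam_fprint.so": False, "pam_unix.so": True})
    return {"password_alone_logs_in": with_password, "locked_out": not with_password}

if __name__ == "__main__":
    for name in ("FALLBACK_STACK", "FPRINT_ONLY_STACK"):
        print(name, reader_failure_report(globals()[name]))
```

For the fallback stack the report shows that the password alone still logs in, so password strength remains the real control; for the fingerprint-only stack it shows a lockout, so keep a root shell open while testing that layout.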